New Year, Improved Security: Moving Up to TLS 1.2

The new year brings changes to the payments industry, making transactions more secure with the deprecation of (almost) everything before TLS 1.2.

Will this change affect your business? Yes, it will likely improve the security of payments at the point of sale and online. If you have an older system, you’ll likely want to ask your trusted IT advisor about upgrading to something that conforms to the new security standards.

For those who are not familiar with TLS, it stands for Transport Layer Security and, according to the PCI Security Standards Council, it’s a cryptographic protocol used to establish a secure communications channel between two systems.

In practice, these technologies provide a means for encrypting messages and transactions between two entities. For instance, when you purchase goods or services in a store, the point of sale system likely uses some form of encryption to send your credit card information to the payment processor.

The PCI Security Standards Council is an industry organization that works to develop, enhance and promotes the understanding of security standards for payments throughout the world. Its major members, including American Express, Discover Financial Services, Mastercard and Visa, all have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for how they operate.

The PCI Security Standards Council decided a few years back to set a deadline of June 30, 2018 for organizations to stop using any encryption protocols that came out prior to TLS 1.1 but encouraged its members to begin using TLS 1.2.

Why the change?
According to the PCI Security Standards Council, the initial TLS encryption was developed as SSL, or Secure Sockets Layer, in the early 1990s by Netscape. Since that time, many vulnerabilities have been discovered by hackers and security researchers alike. As recently as 2014, the Heartbleed vulnerability was used to steal information from the Canadian Revenue Agency. That same year, the POODLE vulnerability was discovered and it reportedly allowed hackers to take over a Twitter or Google account without needing a password.

The PCI Security Standards Council noted that online and e-commerce environments using SSL and early versions of TLS are most susceptible to attacks but the council recommends upgrades for all environments, including point of sale systems (although there are some exceptions).

Have questions about your payments setup? Want to make sure you and your customers are not vulnerable? Contact us today and we’ll review your system to make sure it complies with the new standards.